一、建立自簽憑證提供網站使用SSL

  參考: http://kirby86a.pixnet.net/blog/post/118029825-centos-7-%E5%BB%BA%E7%AB%8B%E7%A7%81%E6%9C%89%E6%86%91%E8%AD%89

二、安裝Apache與設定

      1.安裝Apache與php-fpm

         yum install -y httpd httpd-tools php-fpm

      2.安裝SSL套件 

          yum install -y mod_ssl openssl

      3.設定 apache 設定檔

        vi /etc/httpd/conf/httpd.conf

        

        #
        # ServerAdmin: Your address, where problems with the server should be
        # e-mailed. This address appears on some server-generated pages, such
        # as error documents. e.g. admin@your-domain.com
        #

        #改成你自己的系統管理者電子郵件信箱
        ServerAdmin root@yourdomain 

        #
        # ServerName gives the name and port that the server uses to identify itself.
        # This can often be determined automatically, but we recommend you specify
        # it explicitly to prevent problems during startup.
        #
        # If this is not set to valid DNS name for your host, server-generated
        # redirections will not work. See also the UseCanonicalName directive.
        #
        # If your host doesn't have a registered DNS name, enter its IP address here.
        # You will have to access it by its address anyway, and this will make 
        # redirections work in a sensible way.
        #
        #ServerName www.example.com:80 

        #改成你自己的主機名稱
        ServerName yourdomain:80

        <Directory "/var/www/html"> 
          #Options Indexes FollowSymLinks 
          #拿掉 Indexes,當找不到index.html時,不顯示整個目錄下的檔案
          Options FollowSymLinks
          AllowOverride None
          #Order/Allow 為 Apache 2.2 語法,在 2.4 需載入 mod_access_compat 才會生效;2.4 的對應寫法為 Require all granted
          Order allow,deny
          Allow from all
        </Directory>

        #設定mod_mpm_event相關參數

        <IfModule mpm_event_module>
         StartServers             3
         MinSpareThreads          25
         MaxSpareThreads          75
         ThreadLimit              64
         ThreadsPerChild          25
         MaxRequestWorkers        30
         MaxConnectionsPerChild   1000
        </IfModule>

      4.替換Server mpm

         vi /etc/httpd/conf.modules.d/00-mpm.conf

        加上#符號關閉原有mpm套件

        #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

        移除#符號啟用新的套件

        LoadModule mpm_event_module modules/mod_mpm_event.so

       5.編輯php-fpm設定檔

         vi /etc/php-fpm.d/www.conf

         ;listen = 127.0.0.1:9000

         listen = /var/run/php-fpm/default.sock

         listen.allowed_clients = 127.0.0.1

         listen.owner = apache

         listen.group = apache

         listen.mode = 0600

       6.新增php-fpm給apache使用的設定檔

         vi /etc/httpd/conf.d/php.conf

         

# Tell the PHP interpreter to handle files with a .php extension.

# Proxy declaration
<Proxy "unix:/var/run/php-fpm/default.sock|fcgi://php-fpm">
	# we must declare a parameter in here (doesn't matter which) or it'll not register the proxy ahead of time
    	ProxySet disablereuse=off
</Proxy>

# Redirect to the proxy
<FilesMatch \.php$>
	SetHandler proxy:fcgi://php-fpm
</FilesMatch>

#
# Allow php to handle Multiviews
#
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following lines to allow PHP to pretty-print .phps
# files as PHP source code:
#
#<FilesMatch \.phps$>
#	SetHandler application/x-httpd-php-source
#</FilesMatch>

 

 

 

      7.開啟防火牆80 port,CENTOS 7 開始更改防火牆設定請依下列步驟開放,永久開放下列兩個通訊埠

          新增80、443 port

      firewall-cmd --add-port=80/tcp --permanent
      firewall-cmd --add-port=443/tcp --permanent
      更新防火牆規則
      firewall-cmd --reload
      查看zone,依據該值執行相關查詢防火牆設定指令
      firewall-cmd --get-default-zone
      查看現在zone開放的服務
      firewall-cmd --zone=public --list-all
      查看防火牆永久設定
      firewall-cmd --zone=public --list-all --permanent
   8.設定SELinux規則,以免某些php程式無法執行(下列為常見布林值一次列出;其中 httpd_anon_write、httpd_execmem 等會放寬保護,請只啟用實際需要的項目)
        setsebool -P httpd_read_user_content 1
        setsebool -P httpd_anon_write 1
        setsebool -P httpd_can_network_connect_db 1
        setsebool -P httpd_can_check_spam 1
        setsebool -P httpd_can_network_memcache 1
        setsebool -P httpd_can_sendmail 1
        setsebool -P httpd_enable_homedirs 1
        setsebool -P httpd_execmem 1
        setsebool -P httpd_mod_auth_pam 1
        setsebool -P httpd_use_sasl 1
        setsebool -P httpd_verify_dns 1

 

            啟動apache後檢查 /var/log/httpd/error_log 看看是不是有AH00035錯誤,若有則執行下列語法

               restorecon -R 有錯的目錄或檔案名稱

               setsebool -P httpd_enable_homedirs 1

              chcon -R --type=httpd_sys_content_t 有錯的目錄或檔案名稱

           使用指令檢視目錄SELINUX屬性

               ls -Z

    9.停止與啟動 apache php-fpm

           (1)開機自動啟動 

                systemctl enable php-fpm

                systemctl enable httpd

           (2)啟動或停止php-fpm

        systemctl start php-fpm
        或 
        service php-fpm start
        重新啟動
        systemctl restart php-fpm
        停止
        systemctl stop php-fpm

           (3)啟動或停止apache

        systemctl start httpd
        或 
        service httpd start
        重新啟動 apache
        systemctl restart httpd
        停止apache
        systemctl stop httpd
        檢視執行狀態 systemctl status httpd.service

 

 備註:同時重啟動apache、php-fpm

systemctl restart httpd php-fpm && systemctl enable httpd php-fpm

          

三、設定/etc/httpd/conf.d/ssl.conf 設定新建立的憑證位置,請將下列範例中的 yourdomain 路徑修改為自己建立的憑證檔與私鑰檔
       找到下列文字:
        #   Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate.  If
        # the certificate is encrypted, then you will be prompted for a
        # pass phrase.  Note that a kill -HUP will prompt again.  A new
        # certificate can be generated using the genkey(1) command.
        #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
        SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt

        #   Server Private Key:
        #   If the key is not combined with the certificate, use this
        #   directive to point at the key file.  Keep in mind that if
        #   you've both a RSA and a DSA private key you can configure
        #   both in parallel (to also allow the use of DSA ciphers, etc.)
        #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
        SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
        
        #SSLv3或以下版本有安全性問題,故關閉該功能
        SSLProtocol all -SSLv2 -SSLv3

四、啟用SSL
     方法一、設定Apache虛擬主機

     1.備份/etc/httpd/conf/httpd.conf

     2.於/etc/httpd/conf/httpd.conf
       檔案後面加上下列字串

            # Listen for virtual host requests on all IP addresses

            #NameVirtualHost *:443

            # Go ahead and accept connections for these vhosts

            # from non-SNI clients

            SSLStrictSNIVHostCheck off

 
       <VirtualHost *:443>
         SSLEngine on
         SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt
         SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
         <Directory /var/www/html/受保護的目錄>
           AllowOverride All
         </Directory>
         DocumentRoot /var/www/html/受保護的目錄
         ServerName www.yourdomain
       </VirtualHost>
       #設定重導向,http重導向為https,需安裝mod_rewrite
       RewriteEngine on
       RewriteCond %{SERVER_PORT} !^443$
       RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [L,R]

      3. 重新啟動apache 
         systemctl restart httpd

      方法二、
      編輯/etc/httpd/conf.d/ssl.conf(下方 SSLCipherSuite 一行為舊版預設值,仍允許 RC4 與 LOW 等弱密碼套件,上線前建議改為較嚴格的清單)

          Listen 443 
          <VirtualHost _default_:443>
            # General setup for the virtual host, inherited from global configuration
            #DocumentRoot "/var/www/html"
            #ServerName www.example.com:443
            DocumentRoot "/var/www/受保護的目錄"
            ServerName *:443 
            # SSL Engine Switch:
            # Enable/Disable SSL for this virtual host. 
            SSLEngine on 
            # SSL Cipher Suite:
            # List the ciphers that the client is permitted to negotiate.
            # See the mod_ssl documentation for a complete list. 
            SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
            # Server Certificate:
            # Point SSLCertificateFile at a PEM encoded certificate. If
            # the certificate is encrypted, then you will be prompted for a
            # pass phrase. Note that a kill -HUP will prompt again. A new
            # certificate can be generated using the genkey(1) command.
            #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
            SSLCertificateFile /etc/pki/yourdomain/certs/yourdomain.crt
            # Server Private Key:
            # If the key is not combined with the certificate, use this
            # directive to point at the key file. Keep in mind that if
            # you've both a RSA and a DSA private key you can configure
            # both in parallel (to also allow the use of DSA ciphers, etc.)
            #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
            SSLCertificateKeyFile /etc/pki/yourdomain/private/yourdomain.key
         </VirtualHost>

 

備註:

       檢查某模組安裝狀態,例:mod_deflate

       方法1:

                [root@ts1 ~]# apachectl -t -D DUMP_MODULES | grep deflate

                deflate_module (shared)

      方法2:

                [root@ts1 ~]# more /etc/httpd/conf.modules.d/00-base.conf | grep deflate

                LoadModule deflate_module modules/mod_deflate.so

        檢查 apache 版本

            httpd -v

            httpd -V

        檢查 apache 載入模組

            httpd -M

參考資料:

https://www.tecmint.com/apache-performance-tuning/

https://disp.cc/b/11-9Tlm

https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

https://www.stephenrlang.com/2018/02/centos-7-apache-2-4-with-php-fpm/

https://wiki.centos.org/zh-tw/HowTos/SELinux
